Magecart Hijacks eStore Checkouts, Stealing Hackers Uses

In one documented instance, a command-and-control server was disguised as a Redsys domain, specifically `redsysgate[.]com`. This exfiltration method is a deliberate tactical choice: WebSocket traffic frequently bypasses conventional HTTP-based security monitoring tools, significantly reducing the chance of real-time detection.

In a notable expansion of the attack surface, the same malicious payload also served as a delivery mechanism for Android APK files. When users accessed infected stores on mobile devices, the script displayed a prompt offering discounts or bonuses in exchange for downloading an app, complete with instructions to enable installation from “Unknown Sources.”

This mobile vector was localized in at least four languages, reinforcing that the campaign’s infrastructure was purpose-built, not improvised.

This campaign signals a maturation of Magecart-style attacks moving away from quick, opportunistic injections toward persistent, infrastructure-driven operations with real-time command-and-control.

For security teams, the key defensive priorities include monitoring outbound WebSocket connections from checkout pages, enforcing strict Content Security Policies (CSP), implementing JavaScript file integrity monitoring, and conducting regular third-party script audits.

For financial institutions, proactive threat intelligence sharing and enhanced fraud detection for card-not-present transactions remain critical countermeasures against this class of persistent, adaptive payment threat.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.